[PATCH v5 1/3] Introduce seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Sun Sep 22 09:22:54 UTC 2019


On Sun, Sep 22, 2019 at 10:49:10AM +0200, Paul Chaignon wrote:
> On Sat, Sep 21, 2019 at 07:57:21PM +0300, Dmitry V. Levin wrote:
> > On Sat, Sep 21, 2019 at 07:02:24PM +0300, Dmitry V. Levin wrote:
> > [...]
> > > @@ -1759,6 +1768,11 @@ init(int argc, char *argv[])
> > >  		error_msg_and_help("PROG [ARGS] must be specified with -D");
> > >  	}
> > >  
> > > +	if (seccomp_filtering && !followfork) {
> > > +		error_msg("-n implies -f");
> > > +		followfork = 1;
> > > +	}
> > > +
> > >  	if (optF) {
> > >  		if (followfork) {
> > >  			error_msg("deprecated option -F ignored");
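
Review bot: the new `seccomp_filtering && !followfork` check in init() covers only the missing -f case and leaves -n combined with -p unhandled, which the reply below reports as not working because a seccomp-bpf filter cannot be attached to an already running process. Consider handling that combination at this point as well, either with a diagnostic or by turning seccomp_filtering off for attached processes. Two smaller points: `error_msg("-n implies -f")` announces an automatic adjustment rather than a failure, so wording it as a notice would read better, and since the block sits before `if (optF)`, running with -n and -F but no -f will now reach the "deprecated option -F ignored" branch.
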
> > 
> > Looks like -n is currently not compatible with -p, compare e.g.
> > 
> > ./set_ptracer_any ./sleep 1 & ../strace -n -f -qq -e trace=exit_group -p $!
> > and
> > ./set_ptracer_any ./sleep 1 & ../strace    -f -qq -e trace=exit_group -p $!
> 
> No, it's not.  As far as I know, there is currently no way to attach a
> seccomp-bpf filter to a running process.  We'll need to add an error
> message.

Could we just ignore -n for processes attached using -p?


-- 
ldv